Re: passwd and permission user for ldapsearch

[German Poo Caaman~o <gpoo@ubiobio.cl>]

On Fri, 28 Jul 2000, Marcos Aurelio Domingues wrote:
> We've installed and configurated the ldap (and the pam ldap module) for
> authentication of linux passwords on our network. We've obtained success
> on it.  But we would like to deny ldapsearch permission for regular users
> of the network, so that they cannot see the encrypted string. How can we
> do this? We changed the permissions of /usr/bin/ldapsearch to 700 and it
> worked. But we think this is not secure because our users could get
> another ldapsearch executable file (we're interested in limiting the
> searches in the server side!).

Read the manual on the privileges pages. 

Something like that:

access to attr=userpassword
    by self         write
    by dn="cn=manager,dc=your_dc" write
    by *            compare

Restrcit ldapsearch definitively is a bad idea.

> [user@vega ~]# passwd
> Current UNIX password:
> New UNIX password:
> Retype new UNIX password:
> Enter login(LDAP) password:
> New password:
> Re-enter new password:
> LDAP password information update failed: Insuficient access
> 
> At the "Current UNIX password" and "Enter login(LDAP) password" we enter
> the current network password. At the "New UNIX password" and "New
> password", we type the new password, as desired by the user.

Are you using some linux version?
what version of pam_ldap and nss_ldap are you using?

I have the same problem some months ago.  The problem was the
pam_ldap module (AFAIR), but it was fixed.

-- 
German Poo Caaman~o
mailto:gpoo@ubiobio.cl
http://www.ubiobio.cl/~gpoo/chilelindo.html